
Automatic detection of inactive LDAP account
Open, Low, Public

Description

The IDM should be able to detect inactive LDAP accounts, with the goal of eliminating fake/invalid accounts.

Todo:

  • Define what it means for an account to be inactive.
  • Implement a dashboard for either deleting or allowlisting accounts


Event Timeline

This might also be interesting for the cloud services projects (toolforge/cloudvps/...), as we also have to manage many abandoned/unresponsive developer accounts and such :), so please keep in touch whenever tackling this.

> Define what it means for an account to be inactive.

What is the thinking that leads to an assumption that "inactive" is actually a valid state for a Developer account? There are certainly humans who have not used their accounts recently for pretty much all definitions of recently. Is that a condition that should invalidate the account? I have never seen any policy stating that folks need to login to Wikitech, Gerrit, Phabricator, or other Developer account linked services with any regularity to avoid their accounts being considered inactive.

> the goal being elimination of fake/invalid account.

Both "fake" and "invalid" account status are also undefined as far as I know. Reasonable folks might certainly consider accounts created by bad faith actors to vandalize wikis or perform similar non-constructive actions unwanted, but I don't think even being created by a long-term abuser would make a Developer account fraudulent ("fake") or logically inconsequent ("invalid").

Forgive the drive-by comment, but I happened to see this one scroll by in IRC and I wanted to share my (possibly relevant?) experience fighting compromised accounts in a large commercial public cloud.

> There are certainly humans who have not used their accounts recently for pretty much all definitions of recently. Is that a condition that should invalidate the account?

Time and again we'd see an account with zero logins in the last few years get compromised, and all of a sudden they'd be maxing out their quotas spinning up cryptominers. So we started using account dormancy (as opposed to "validity") as a heuristic in the fraud detection process.

Eventually we started forcing a "forgot password" type interaction for accounts that were dormant after X amount of time, as well as proactive password scans for compromises.

I don't know if this approach makes sense for our community and I can't speak for @SLyngshede-WMF , but I thought that might be part of the motivation.
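The dormancy heuristic described in the comment above (flag accounts with no successful login for a long period, then force a credential reset or a review), as an added example that is not part of this task or of the IDM's own code. It assumes the directory records the last successful bind in an attribute such as `authTimestamp` (written by OpenLDAP's lastbind overlay) or `pwdLastSuccess` (from a password-policy implementation that maintains it); whether either is populated depends on how the directory is configured, so entries without the attribute are reported as "unknown" instead of being silently treated as active or dormant. The LDIF below is constructed sample data, and the allowlist stands in for the task's proposed "allow listing" dashboard.

```python
"""Dormancy check over LDAP entries (added example, not the project's code).

Assumed last-bind attributes (hypothetical for this directory):
  - pwdLastSuccess / authTimestamp, in LDAP GeneralizedTime (RFC 4517),
    e.g. 20240131120000Z.
Entries lacking both are reported as "unknown", the failure mode to watch
for when the overlay was enabled after the account was created.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Attributes that may hold the last successful bind, in order of preference.
LAST_AUTH_ATTRS = ("pwdLastSuccess", "authTimestamp")

# UTC form of GeneralizedTime: 14 digits, optional fraction, trailing Z.
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")

# Constructed sample directory export (not real accounts).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
pwdLastSuccess: 20240520093000Z

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
authTimestamp: 20210103120000Z

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol

dn: uid=dave,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: dave
pwdLastSuccess: 20200815080000Z
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" for reproducibility
MAX_IDLE = timedelta(days=730)                     # two years without a bind = dormant


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC form of LDAP GeneralizedTime into an aware datetime."""
    m = GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines starting with a space. Base64 ('attr::') values
    are not handled; they are not needed for the attributes used here."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]   # folded line continues previous value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


@dataclass(frozen=True)
class Verdict:
    uid: str
    state: str                  # "active", "dormant" or "unknown"
    last_auth: datetime | None


def classify(entry: dict[str, list[str]], now: datetime, max_idle: timedelta) -> Verdict:
    """Decide one entry's state from its most recent recorded successful bind."""
    uid = entry["uid"][0]
    for attr in LAST_AUTH_ATTRS:
        if attr in entry:
            last = parse_generalized_time(entry[attr][0])
            state = "dormant" if now - last > max_idle else "active"
            return Verdict(uid, state, last)
    return Verdict(uid, "unknown", None)     # no bind record: needs a human look, not deletion


def dormant_candidates(ldif_text: str, now: datetime, max_idle: timedelta,
                       allowlist: frozenset[str] = frozenset()) -> tuple[list[Verdict], list[Verdict]]:
    """Return (dormant accounts not on the allowlist, accounts with no bind record)."""
    verdicts = [classify(e, now, max_idle) for e in parse_ldif(ldif_text) if "uid" in e]
    dormant = [v for v in verdicts if v.state == "dormant" and v.uid not in allowlist]
    unknown = [v for v in verdicts if v.state == "unknown"]
    return dormant, unknown


if __name__ == "__main__":
    dormant, unknown = dormant_candidates(SAMPLE_LDIF, NOW, MAX_IDLE, frozenset({"dave"}))
    for v in dormant:
        print(f"dormant: {v.uid} (last bind {v.last_auth:%Y-%m-%d})")
    for v in unknown:
        print(f"unknown: {v.uid} (no bind timestamp recorded)")
```

Output of a run like this is a review list for the "reach out" step rather than a deletion list: `bob` is dormant, `dave` is dormant but allowlisted, and `carol` has no timestamp at all and so cannot be classified either way.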

> Time and again we'd see an account with zero logins in the last few years get compromised, and all of a sudden they'd be maxing out their quotas spinning up cryptominers. So we started using account dormancy (as opposed to "validity") as a heuristic in the fraud detection process.

This has not been a problem in the 7+ years that I have been actively working in the Cloud Services project to support our technical community.

@SLyngshede-WMF: Is this a solution in search of a problem maybe? If there is a problem, is there data how big the problem is?

> > Define what it means for an account to be inactive.
>
> What is the thinking that leads to an assumption that "inactive" is actually a valid state for a Developer account? There are certainly humans who have not used their accounts recently for pretty much all definitions of recently. Is that a condition that should invalidate the account? I have never seen any policy stating that folks need to login to Wikitech, Gerrit, Phabricator, or other Developer account linked services with any regularity to avoid their accounts being considered inactive.

The concrete use case here is the detection of inactive users with a volunteer NDA so that we can reach out and potentially remove unneeded PII-relevant access if the user's interests have shifted. All other community accounts are intended to be used to infinity and beyond (unless they have to be disabled for abusive behaviour).

I'll update the task description to hopefully reduce the confusion.